CVE-2026-32921
OpenClaw < 2026.3.8 - Script Content Modification via Mutable Operand Binding in system.run
CVSS Score
6.3
EPSS Score
0.0%
EPSS Percentile
0th
OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for script execution, modify the approved script file before execution, and execute different content while maintaining the same approved command shape.
| CWE | CWE-367 |
| Vendor | openclaw |
| Product | openclaw |
| Published | Mar 31, 2026 |
| Last Updated | Mar 31, 2026 |
Stay Ahead of the Next One
Get instant alerts for openclaw openclaw
Be the first to know when new medium vulnerabilities affecting openclaw openclaw are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
Affected Versions
OpenClaw / OpenClaw
0 < 2026.3.8
References
github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-8g75-q649-6pv6 github.com: https://github.com/openclaw/openclaw/commit/c76d29208bf6a7f058d2cf582519d28069e42240 github.com: https://github.com/openclaw/openclaw/commit/cf3a479bd1204f62eef7dd82b4aa328749ae6c91 vulncheck.com: https://www.vulncheck.com/advisories/openclaw-script-content-modification-via-mutable-operand-binding-in-system-run
Credits
๐ tdjackey